INFORMATION SECURITY MANAGEMENT IN SMEs: FACTORS OF SUCCESS

While successive transformations of the world economy change the paradigm of doing business, the sources of success of almost every type of business shift from tangible to intangible assets, and information and its value become more and more significant, especially in the segment of small and medium-sized enterprises (SMEs). The aim of this paper was to identify the factors of success of information security management in the SME segment in Slovakia. Based on a literature review we identified four main factors of success of information security management: Compliance of information security management with the company's business activities, Support of top management, Security controls and Organizational awareness. To identify the importance and interconnections of these factors we addressed senior IT security experts from SMEs in Slovakia. The experts evaluated the significance of, and the relationships between, the factors, and the results of the expert evaluation were processed using the DEMATEL technique. The results show that Security controls and Supportive top management are the most important factors overall, while Organizational awareness is the most visible and important factor in the short term. Our results imply that SMEs should promote organizational awareness in information security management together with the implementation of security controls at the first line of defense.


Introduction
While successive transformations of the world economy change the paradigm of doing business, the sources of success of almost every type of business shift from tangible to intangible assets, and information and its value become more and more significant. Belan (2015) states that information has become the most important competitive asset of a company and a good of high market value. Khouri (2009) confirms that information is one of the most important assets an organization has and therefore needs protection adequate to its value. Sklenár and Čimová (2018) note that, although progress in the development of the digital economy is crucial for improving the competitiveness of the EU economy, the use of ICT is also associated with threats. Information has become a potential target of threats and needs to be protected. While information itself is a type of intangible capital, its value is not easy to assess. Traditional performance measurement methods focus on known financial measures and are not adequate for describing and managing intangible information assets (Huang et al., 2006). Polkowski and Dysarz (2017) note that interest in information security management among researchers, traders and users is increasing.
It is generally accepted that small and medium-sized enterprises (SMEs) are one of the most important and valuable parts of the world economy (Badulescu, 2010; Karpak and Topcu, 2010; Maciejewski and Wach, 2019) and the most important engine of economic growth (Henderson and Weiler, 2010). 99 % of all companies in the USA and the European Union belong to the SME category (Bhaird, 2010; Peracek et al., 2018). The Slovak economy, where our research takes place, is no exception: SMEs make up 99.9 % of the total number of enterprises and contribute about 53 % of the country's value added (Slovak Business Agency, 2015). According to the same source, SMEs employ more than 72 % of the labor force in the country.
Verbano and Venturini (2013) insist that all enterprises need to adopt a risk management strategy and methodology to identify, assess and treat risks in order to survive on the market. However, usually only large enterprises have well-developed risk management and apply risk-limiting instruments, while SMEs often do not even know that such instruments exist (Belás et al., 2014). Research in the field of risk management by Adásková (2009) found that 76 % of SMEs address risk through an intuitive approach and only 36.5 % of them use risk management systems. Since SMEs belong to the most vulnerable business segment, underestimating risks in the field of information security management may be critical for these enterprises.
The aim of this paper is to identify the factors of success of information security management in the SME segment in Slovakia. The paper has the following structure. The first chapter presents the results of the literature review on information security management. The second chapter presents the applied methodology together with a description of the key factors of information security management. The third chapter presents the results of the case study, and the last chapter brings a short discussion and the conclusions of the study.

Literature review
Information security is one of the key areas of organizational security management. Security management is the field of management that addresses the security of an enterprise's assets. According to Khouri (2009), information security means the protection of information during its creation, processing, storage, transmission and disposal through logical, technical, physical and organizational measures that counteract the loss of confidentiality, integrity and availability. According to ISO/IEC 20000 (IT service management), information security management is a "set of tools and measures ensuring the security of information and its flows in the company".
Information security management is part of the overall organizational management system and the foundation for managing security risks; its goal is to establish, implement, operate, monitor, review, maintain and improve information security in the organization (Rajnoha et al., 2017; Radu, 2018; Davidekova et al., 2016; Lengyel et al., 2017; Tvaronavičienė, 2018; Davidavičienė et al., 2019).

ENTREPRENEURSHIP AND SUSTAINABILITY ISSUES
ISSN 2345-0282 (online) http://jssidoi.org/jesi/2019 Volume 6 Number 4 (June) http://doi.org/10.9770/jesi.2019.6.4(37)

According to the same authors, the organization's management should establish a clear information security policy orientation in line with the organization's objectives and demonstrate support for, and commitment to, information security through the publication and maintenance of an information security policy across the organization. Hudec (2014), Gródek-Szotak and Nesterak (2017) and Korenkova et al. (2019) state that the information security policy document should be approved by the management of the organization and should contain the definition of information security, its overall purpose and scope, and its importance as a mechanism for sharing information.
According to Dekýš (2010), small and medium-sized enterprises form a specific environment in terms of enforcement and information security management. The differences from large companies are as follows (Dekýš, 2010): a non-existent or minimal security team; no budget for information security, or a budget that is part of the general IT budget; fewer financial, time and human resources allocated to information security; use of open-source projects to minimize ICT expenditure; security management performed by the IT department.
According to Millaire et al. (2017), Mandorf and Gregus (2014) and Zavadska and Zavadsky (2018), a fundamental reason why SMEs are a popular target is that attackers look for easy targets, and small companies with limited budgets often do not consider cyber security important. SMEs are easier to disrupt than large enterprises, which invest substantial funds in the security of their information systems (Millaire et al., 2017). Hau et al. (2016) note that most companies do not know for months that they have been attacked. According to FireEye (2016), most companies were not able to detect for months that they had been attacked (469 days on average between the incident and its detection). FireEye (2016) also stated that while the media mostly report data breaches at giant corporations, as much as 77 % of cybercrime actually targets SMEs.
Most cyberattacks on small and medium-sized enterprises (SMEs) are the result of weak passwords (Ashford, 2017). Password management recommendations are presented by Chmielarz and Zborowski (2017). For the successful implementation of a security policy, the critical factors need to be identified and the importance of each assessed. The studies by Lopesa and Oliveira (2015) and Vilcekova et al. (2018) contribute to the identification of these factors by presenting the results of surveys on the security of information systems in SMEs. The aim of the study by Tu and Yuan (2014) was to identify the factors of successful implementation of information security management in an enterprise. Based on the twenty most relevant and recent studies, they identified ten factors that may be considered important in implementing information security management. The most important factors determining successful implementation are employee awareness and training and the support of senior management; the importance assessed for these two factors is almost the same. Tu et al. (2018) and Olah et al. (2019) focused on identifying and modeling the factors that contribute to the success of information security management. They identified six critical success factors and concluded that, through business alignment, organizational support, IT competencies and organizational awareness of security risks and controls, information security controls can be developed effectively, leading to the success of information security management. Each of these factors affects information security, while complete solutions combine all of them.
Zamman and Razali (2016) identified three aspects of information security management success factors based on expert opinions: people, process and organization. Waly, Tassabehji and Kamala (2012) concluded that information security can be managed through three separate mechanisms: organizational factors, behavioral factors and education.
In the paper by Kazemi et al. (2012), the authors identified the following factors for the successful implementation of information security management: support of senior management, information security policy, job responsibility, employee motivation, awareness and training programs, information security compliance, international standards, and the use of information security services provided by external consultants.
Alnatheera (2015) identified the following factors of successful information security management: support of top management for information security, creation of an effective information security policy, information security training and organizational culture. Alnatheera (2015) also stated that ethical norms and policies may vary from country to country.
Based on the literature review, we narrowed the scope of our research to four main factors of success of information security management that most authors define as the most important: Compliance of information security management with the company's business activities (F1), Support of top management (F2), Security controls (F3) and Organizational awareness (F4). All four factors are also reflected in the ISO/IEC 27001 standard.
Factor F1 can be defined as follows. Alignment of information security management with business strategy means consistency in addressing the needs, requirements, goals and structures of information security management and of the business. An effective strategy must protect information assets while enabling the business. Experts have pointed out that protecting information resources from potential threats should be part of the business strategy, as it can provide a competitive advantage (Soomro et al., 2016). Information security objectives and activities must be consistent with business objectives and requirements and must be managed by business management (Kayworth and Whitten, 2010; Ma et al., 2009). There must be close collaboration between information security managers and business managers.
Information security management practices must be consistent with the organization's business strategies (Chang et al., 2011). The aim of aligning information security with business strategy is to support the business objectives (Herath et al., 2010). Security management must be business-driven and based on business goals, values and needs (Spears and Barki, 2010).
The role of the second factor, F2, is supported by the following findings. Soomro et al. (2016) emphasize the role of management in information security management: management must actively support information security efforts at all levels. Top management engagement can support information security in many ways, from funding and human resource allocation to highlighting the importance of security for the other parts of the business (Kayworth and Whitten, 2010). Kazemi et al. (2012) consider top management support an important factor in the success of information security management. Whitman and Mattord (2012) argue that providing information security is the responsibility of top management. Top management support is very important for successful information security management (Kayworth and Whitten, 2010; Ma et al., 2009; Tu and Yuan, 2014). In addition, top management plays the most important role in creating effective organizational structures, and organizational structure is very important for information security management.
Factor F3 refers to technical and procedural information security controls, including risk management, security policies and the application of standards. Organizations need to implement security controls and use them to protect information security. Security policies and countermeasures can protect information systems from security risks. Tu et al. (2018) and Tu and Yuan (2014) identified the following crucial processes for developing security controls: risk management, security policy implementation and compliance. Risk management is considered the most effective approach for identifying the most effective set of security controls. Security policies are an example of organizational solutions to security problems: they are countermeasures and strategies adopted to reduce systemic risks. If an enterprise wants to implement information security management successfully, the relevant standards must be followed (Yildirim et al., 2011).
Factor F4 refers to employees' knowledge of information security risks, policies and related practices. In a broader sense it also includes the information security culture, that is, the way people in the enterprise think about and practice information security. Employees should have adequate IT literacy, since IT literacy provides the basis for understanding key security concepts (Culnan et al., 2008). Waly, Tassabehji and Kamala (2012) emphasize the need for education. Training can increase employees' awareness, understanding and participation in information protection (Ma et al., 2009). It is of the utmost importance that the company supports standards and procedures for building information security, say Tu and Yuan (2014). An information security policy will not be effective without training (Soomro et al., 2016). Empirical evidence suggests that it is difficult to implement security controls if people do not have sufficient training in IT security best practices (Werlinger et al., 2009).

Aim and methodology
The aim of this paper is to identify the factors of success of information security management in the SME segment. The research is geographically focused on Slovakia. Based on the literature review of the most important information security management success factors, the research team narrowed the scope of the research to four main factors: Compliance of information security management with the company's business activities (F1), Support of top management (F2), Security controls (F3) and Organizational awareness (F4).
The research team formulated the following hypotheses. H1: The four main factors (F1 to F4) of information security management are equally important. H2: There is no cause-and-effect relationship among the factors of information security management (F1, F2, F3 and F4).
In small organizations, responsibility for security management is concentrated at the level of the statutory body, as it is not cost-effective to employ a dedicated full-time security manager. Alternatives are to combine functions within the enterprise or to outsource the role of information security manager (CISO). Questionnaire research in the field of information security management of SMEs is quite problematic. Kotulic and Clark (2004) conducted a survey on information security management in the USA and found that as many as 23 percent of the respondents who refused to answer the questionnaire declared that they were not willing to share any information about their computer security policies with outside entities.
Facing the risk of obtaining unreliable data from insufficiently experienced respondents, the research team decided to conduct the research using the structured expert evaluation method applied to a selected group of senior IT security experts, combined with appropriate statistical tools. We addressed ten senior information security management experts from the insurance and banking sectors in Slovakia and asked them to respond to our questions. None of the contacted experts refused to cooperate. This number of experts is sufficient for the structured expert evaluation method, since the usual number of experts for the DEMATEL technique is around six; quantity is replaced by quality and precision in this case (Lo and Chen, 2012; Tianshui and Gang, 2014; Hu and Chen, 2016). The questions in the survey were formulated so that the answers could be evaluated using the DEMATEL technique. The experts evaluated the significance of the four factors from the viewpoint of the success of information security management. When making their estimates, the experts were asked to address information security management in a specific context, namely in SMEs. The results of the expert evaluation were processed using the DEMATEL technique.
The DEMATEL technique (Decision Making Trial and Evaluation Laboratory) is considered an effective method for identifying the components of the cause-and-effect chain of a complex system. It evaluates the interdependent relationships between factors and identifies the critical factors through a structural model, using a digraph to illustrate the relationships. Lo and Chen (2012) proposed a hybrid procedure for assessing the level of information security across various security controls using the DEMATEL technique. Tianshui and Gang (2014) proposed a new security and privacy assessment model for information systems. Hu and Chen (2016) identified important security factors for e-government cloud computing using DEMATEL.
DEMATEL was developed at the Geneva Research Center at the Battelle Memorial Institute (Tan and Kuo, 2014).
Considering the factors , , ..., , in the first step the experts , , ..., are invited to quantify the direct effect of each factor on each of the other factors. The experts evaluate the strength of influence using the scale "no impact (0)", "low impact (1)", "medium impact (2)", "high impact (3)" and "very high impact (4)".
We constructed an individual direct-influence matrix from each expert's evaluation. By aggregating the expert opinions we obtained the group direct-influence matrix Z.
The normalized direct-influence matrix X is obtained from Z by the normalization transformation.
Using the normalized direct-influence matrix, we calculated the total influence matrix T by adding all direct effects and all indirect effects; the formula uses the identity (unit) matrix.
In the next step, we constructed the influential relation map (IRM). Let R be the vector of the row sums and C the vector of the column sums of the matrix T. The values of R represent the sum of the direct and indirect effects that a factor exerts on the other factors.

The values of C represent the sum of the direct and indirect effects that a factor receives from the other factors.
The values (R + C) represent the degree of central role (prominence). The higher the centrality degree, the more important the factor.
The values (R - C) show the degree of relation, which divides the criteria into a cause group and an effect group. If (R - C) is positive, the factor belongs to the cause group; if it is negative, the factor belongs to the effect group.
Plotting the values (R + C, R - C) in a graph gives valuable information for decision making. Factors in quadrant I are identified as major factors: they have a high degree of importance and strong relationships. Factors in quadrant II are identified as driving factors: they are of little importance but have a high degree of relationships. Factors in quadrant III have little importance and a low degree of relationships; they are relatively disconnected from the system. Factors in quadrant IV are of high importance but a low degree of relationships, the so-called impact factors: they are influenced by other factors and cannot be improved directly.
Many articles use a threshold value that allows negligible effects to be filtered out of the map. We set the threshold to the maximum value of the diagonal elements of the matrix T (Tan and Kuo, 2014).
We calculated the weight of importance of each criterion from its centrality value, so that the weights correspond to the significance of the factors.
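The DEMATEL steps above carried through in code, as an added example: this is not the paper's own script, and the three expert matrices are constructed for illustration rather than taken from the study. It assumes the standard DEMATEL formulas for the steps whose formulas are not reproduced on this page: Z is the element-wise average of the expert matrices, X = Z / s with s the larger of the maximum row sum and maximum column sum of Z, T = X (I - X)^-1 (equivalently X + X^2 + X^3 + ...), and the weight of a factor is its (r + c) value divided by the sum of all (r + c) values. The threshold for the influential relation map is the maximum diagonal element of T, as in the text.

```python
"""DEMATEL worked example in pure Python (no third-party packages).

Added example for this page; not the paper's code. The expert matrices are
constructed for illustration. Assumed formulas: Z = average of expert
matrices, X = Z / max(row sums, column sums), T = X (I - X)^-1,
weights = (r + c) / sum(r + c). Threshold = max diagonal of T (as in the paper).
"""
from typing import Dict, List

Matrix = List[List[float]]

# Factor labels F1..F4 as used in the paper.
FACTORS = ["F1 Compliance", "F2 Top management", "F3 Security controls", "F4 Awareness"]

# Constructed expert judgements on the 0..4 scale: EXPERTS[k][i][j] is expert k's
# estimate of the direct influence of factor i on factor j (diagonal is 0).
EXPERTS: List[Matrix] = [
    [[0, 2, 3, 3], [3, 0, 4, 4], [2, 1, 0, 3], [1, 0, 1, 0]],
    [[0, 3, 2, 4], [4, 0, 3, 4], [1, 2, 0, 4], [0, 1, 1, 0]],
    [[0, 2, 3, 3], [3, 0, 4, 3], [2, 1, 0, 3], [1, 1, 2, 0]],
]


def group_matrix(experts: List[Matrix]) -> Matrix:
    """Z: element-wise average of the individual direct-influence matrices."""
    n = len(experts[0])
    return [[sum(e[i][j] for e in experts) / len(experts) for j in range(n)] for i in range(n)]


def normalize(z: Matrix) -> Matrix:
    """X = Z / s, s = max(largest row sum, largest column sum). Every row and
    column sum of X is then at most 1, which makes the series X + X^2 + ...
    converge for non-degenerate expert data."""
    n = len(z)
    s = max(max(sum(row) for row in z), max(sum(z[i][j] for i in range(n)) for j in range(n)))
    return [[z[i][j] / s for j in range(n)] for i in range(n)]


def identity(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    n, m, p = len(a), len(b), len(b[0])
    return [[sum(a[i][k] * b[k][j] for k in range(m)) for j in range(p)] for i in range(n)]


def invert(m: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises if the matrix is singular."""
    n = len(m)
    aug = [list(map(float, m[i])) + identity(n)[i] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("matrix is singular; I - X has no inverse")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0.0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def total_influence(x: Matrix) -> Matrix:
    """T = X (I - X)^-1 = X + X^2 + X^3 + ... : direct plus all indirect effects."""
    n = len(x)
    i_minus_x = [[identity(n)[i][j] - x[i][j] for j in range(n)] for i in range(n)]
    return matmul(x, invert(i_minus_x))


def dematel(experts: List[Matrix], names: List[str] = FACTORS) -> Dict[str, object]:
    """Run the full procedure and return every intermediate result by name."""
    z = group_matrix(experts)
    x = normalize(z)
    t = total_influence(x)
    n = len(t)
    r = [sum(t[i]) for i in range(n)]                        # effects factor i exerts
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]   # effects factor j receives
    prominence = [r[i] + c[i] for i in range(n)]             # r + c: central role
    relation = [r[i] - c[i] for i in range(n)]               # r - c: cause (>0) / effect (<0)
    total = sum(prominence)
    weights = [p / total for p in prominence]                # assumption: w_i = (r_i + c_i) / sum
    threshold = max(t[i][i] for i in range(n))               # max diagonal of T (Tan and Kuo, 2014)
    # IRM edges: keep i -> j only where the total influence exceeds the threshold.
    edges = [(names[i], names[j]) for i in range(n) for j in range(n) if i != j and t[i][j] > threshold]
    return {
        "Z": z, "X": x, "T": t, "r": r, "c": c,
        "prominence": prominence, "relation": relation, "weights": weights,
        "threshold": threshold, "edges": edges,
        "cause": [names[i] for i in range(n) if relation[i] > 0],
        "effect": [names[i] for i in range(n) if relation[i] < 0],
    }


if __name__ == "__main__":
    res = dematel(EXPERTS)
    for i, name in enumerate(FACTORS):
        print(f"{name:22s} r+c={res['prominence'][i]:.2f} r-c={res['relation'][i]:+.2f} w={res['weights'][i]:.3f}")
    print("cause group :", res["cause"])
    print("effect group:", res["effect"])
    print("IRM edges above threshold %.3f:" % res["threshold"], res["edges"])
```

With the constructed judgements, F2 (top management) lands in the cause group with the largest (r - c) and F4 (awareness) in the effect group, mirroring the shape of the paper's own result; the numbers themselves are only as good as the expert matrices fed in. Because s is taken as the larger of the row and column maxima, at least one row or column of X sums to exactly 1, so the inverse is well conditioned only when the influence pattern is not a perfectly balanced cycle; the explicit singularity check in invert() catches that case rather than returning garbage.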

Results and Discussion
The DEMATEL technique was applied to the expert evaluations to obtain the group direct-influence matrix Z, the normalized direct-influence matrix X and the total influence matrix T. The importance of the four factors is prioritized by their (r + c) values. It is evident from Table 1 that the most important factor within the causal relation is F3 (Security controls), with the largest (r + c) value of 6.44, followed by F2 (Top management) with an (r + c) of 5.79 and F1 (Compliance) with 5.21. Factor F4 (Awareness) is somewhat less important, with a value of 4.68. Hypothesis H1 was therefore rejected: the importance of the selected factors F1 to F4 is not equal. With a limited information security budget, an SME should focus its attention on security controls first.
The centrality degree represents the strength of the effect on the success of information security management. The results identify Security controls as the most important factor of success of information security management: technical and procedural information security controls, risk management and the application of standards reflect the success of information security management. The second most important factor is supportive top management; top management plays the most important role in the company in the field of information security, a result in line with the literature that highlights the importance of top management support. Information security management must be consistent with the company's business activities: it must not hinder them but help them. Therefore, the compliance of information security management with the business activities of the company is considered relevant. Several studies have also confirmed the importance of organizational awareness.
The weights of the factors, which correspond to their significance, are presented in Figure 1. A positive (r - c) value classifies a factor into the cause group, which directly affects the others; the factors with the highest (r - c) values also have the greatest direct impact on the others. In our case study, the factors F2 (1.94), F1 (0.71) and F3 (0.12) belong to the cause group.
A negative (r - c) value means that the factor is largely influenced by the others and classifies it into the effect group. In our research, factor F4 was categorized in the effect group, with an (r - c) value of approximately -2.77 (the (r - c) values of all factors sum to zero). Organizational awareness (F4) was most affected by Compliance of information security management with the company's business activities (F1), Support of top management (F2) and Security controls (F3). These results allow us to reject hypothesis H2: factors F1, F2 and F3 do affect factor F4.
From the total relation matrix T we construct the impact-relation map for the success of information security management. The cause factors, which affect the others, are the most fundamental: they not only promote information security management directly but also influence the other factors, and they are the key to establishing a long-term mechanism for a successful security management system. The importance of top management should not be underestimated, since top management directly influences all processes inside the company. Although factor F2 (supportive top management) was identified as the second most important factor, our results also confirm that its influence on the other factors is the highest. The effect of the other two cause factors, compliance of information security management with the business activities of the company and security controls, is weaker but still significant. Each pair of the three factors Compliance of information security management with the company's business activities (F1), Support of top management (F2) and Security controls (F3) mutually influence each other.
The effect factors are the most direct levers for promoting information security management in the company, but they are easily influenced by the other factors. Our results therefore imply that organizational awareness (F4) is the most visible and important factor for the success of information security management in the short term.
Supportive top management, especially in the area of education, training and increasing IT literacy, will certainly help the success of information security management. Compliance of information security management with the business activities of the company will also support employees' interest in increasing their IT skills, and higher IT skills allow workers to achieve better results in their workplace. Compliance with security policies and standards reduces systemic risks.
The issue of information security management is becoming vitally important, especially in the SME segment. The basic reason why SMEs have become a popular target for cyber-attacks is that attackers usually look for easy targets. Small companies with limited budgets often do not consider cyber security important and are easier to disrupt than large ones, which invest large amounts in the security of their information systems (Millaire et al., 2017).
While 77 % of cybercrime targets SMEs, 58 % of SME managers do not consider cyber-attacks a significant risk, 65 % of SMEs do not have a security policy, and only 10 % of computer crimes reported to the police by small and medium-sized enterprises result in the conviction of the offenders (FireEye, 2016).

Conclusions
The issue of information security management is becoming vitally important, especially in the segment of small and medium-sized enterprises. The aim of this paper was to identify the factors of success of information security management in the SME segment in Slovakia.
Based on the literature review we narrowed the scope of our research to four main factors of success of information security management, defined by most authors as the most important: Compliance of information security management with the company's business activities, Support of top management, Security controls and Organizational awareness. To identify the importance and interconnections of these factors we addressed senior IT security experts from small and medium-sized enterprises in Slovakia. The experts evaluated the significance of the four factors from the viewpoint of the success of information security management, and the results of the expert evaluation were processed using the DEMATEL technique.
The results of the research show that Security controls, including technical and procedural information security controls, risk management and the application of standards, is the most important factor of success of information security management. The second most important factor is supportive top management. Our results also imply that organizational awareness is the most visible and important factor for the success of information security management in the short term.
Our results imply that SMEs should promote organizational awareness in information security management together with the implementation of security controls at the first line of defense, in order to protect information as the most valuable asset of the company.
Our research has some limitations, mostly related to the number of experts involved, which is explained by the general unwillingness of SME representatives to share data about information security management in their companies. The DEMATEL technique is designed for small expert panels and so mitigates this limitation; nevertheless, the results reflect the consensus of the panel and should not be read as statistically representative of all SMEs.

Figure 1. The weight of the factors. Source: Own calculations

Figure 1. The cause and effect diagram (Influential relation map, IRM). Source: Own calculations

Table 1. Total relation matrix and the causal influence levels